Skip to content

Backport hotfixes 29-06-2026#2814

Merged
sam0x17 merged 21 commits into
devnet-readyfrom
hotfixes-29-06-2026
Jun 30, 2026
Merged

Backport hotfixes 29-06-2026#2814
sam0x17 merged 21 commits into
devnet-readyfrom
hotfixes-29-06-2026

Conversation

@l0r1s

@l0r1s l0r1s commented Jun 29, 2026

Copy link
Copy Markdown
Collaborator

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.


// Temporarily allow the destination coldkey to receive this stake even if some of it is
// locked; swap_coldkey_locks will copy the source AccountFlags over afterward.
Self::set_accept_locked_alpha(new_coldkey, true);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] Coldkey swap now writes AccountFlags without a weight update

This call mutates AccountFlags before every coldkey swap, and swap_coldkey_locks now also removes/inserts AccountFlags when moving the source flags to the destination. The generated weights still list AccountFlags as r:1 w:0 for both swap_coldkey_announced and swap_coldkey, and weights.rs is unchanged in this PR, so these runtime extrinsics are undercharged for the new storage writes. Regenerate the benchmarks/weights, or manually update the swap weights to include the additional AccountFlags read/write operations.

@github-actions

github-actions Bot commented Jun 29, 2026

Copy link
Copy Markdown
Contributor

🛡️ AI Review — Skeptic (security review)

VERDICT: VULNERABLE

BASELINE scrutiny: l0r1s has repo write permission, an established account, and substantial prior subtensor activity; branch hotfixes-29-06-2026 -> devnet-ready; no Gittensor allowlist match found.

The diff does not modify .github/ai-review/*, .github/copilot-instructions.md, dependency manifests, lockfiles, or build scripts. The prior AccountFlags weight-accounting issue is still present.

Findings

Sev File Finding
MEDIUM pallets/subtensor/src/swap/swap_coldkey.rs:28 Coldkey swap still writes AccountFlags without a weight update inline

Prior-comment reconciliation

  • ad1ba5ec: not addressed — The current diff still adds AccountFlags writes in coldkey swap paths without updating the generated swap_coldkey / swap_coldkey_announced weights.

Conclusion

The PR appears legitimate, but the coldkey-swap locked-alpha change still undercharges newly-added runtime storage writes. Regenerate or adjust the affected weights before merge.


📜 Previous run (superseded)
Sev File Finding Status
MEDIUM pallets/subtensor/src/swap/swap_coldkey.rs:28 Coldkey swap now writes AccountFlags without a weight update ➡️ Carried forward to current findings
The current diff still adds AccountFlags writes in coldkey swap paths without updating the generated swap_coldkey / swap_coldkey_announced weights.

# 🔍 AI Review — Auditor (domain review) has not yet run on this PR.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@l0r1s l0r1s added the skip-cargo-audit This PR fails cargo audit but needs to be merged anyway label Jun 30, 2026

@github-actions github-actions Bot left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

AI review — see the sticky summary comment for the verdict and the inline comments below for specific findings.


// Temporarily allow the destination coldkey to receive this stake even if some of it is
// locked; swap_coldkey_locks will copy the source AccountFlags over afterward.
Self::set_accept_locked_alpha(new_coldkey, true);

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

[MEDIUM] Coldkey swap still writes AccountFlags without a weight update

do_swap_coldkey now calls set_accept_locked_alpha, and swap_coldkey_locks now moves/removes AccountFlags, but generated WeightInfo::{swap_coldkey, swap_coldkey_announced} still account AccountFlags as r:1 w:0; the PR does not update pallets/subtensor/src/weights.rs. These extrinsics therefore undercharge the added runtime storage writes. Regenerate benchmarks or manually bump both weights to include the new AccountFlags reads/writes before merge.

@github-actions

Copy link
Copy Markdown
Contributor

🔄 AI review updated — Skeptic: VULNERABLE

@sam0x17 sam0x17 merged commit 2519652 into devnet-ready Jun 30, 2026
240 of 250 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

skip-cargo-audit This PR fails cargo audit but needs to be merged anyway

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants